Researchers Discover Leaked Nvidia Code-Signing Certificates Used to Spread Malware

Network Security

Last week, security researchers revealed that a hacking group had been involved in using leaked Nvidia code-signing certificates for malware purposes. As reported by Bleeping Computer, two expired certificates are currently being used by threat actors to gain remote access and install malicious drivers on targeted Windows machines.

For those unfamiliar, Windows requires that all kernel-mode drivers be code signed, and the OS provides a warning if the user attempts to install an application that is not signed by a trusted CA. However, some Windows devices may not be able to detect malware if the threat actor signs it off with a genuine Nvidia code.

Computer security expert Bill Demirkapi revealed on Twitter that the hackers are using the two compromised Nvidia code-signing certificates are to sign their drivers and executable files.

https://twitter.com/BillDemirkapi/status/1499437244830175236

The security researchers also spotted some malware samples signed with the expired Nvidia certificates on VirusTotal, a popular malware scanning service. The list of the hacking tools and malware includes Cobalt Strike Beacon, remote access trojans, backdoors, as well as Mimikatz.

Nvidia Code-Signing Certificates Used to Spread Malware

What is a code-signing certificate?

A code-signing certificate is a method developers use to sign a program, software update, or executable file before releasing them to the general public. In addition to all the information contained in the certificate (like the publisher’s name, location, etc.), the signature includes a timestamp that clearly indicates when the software was signed with the certificate. It helps users ensure that any unauthorized third party has not tempered the software and that it’s safe to download on their PC.

The Redmond giant is recommending IT Admins to review and configure Windows Defender Application Control (WDAC) policies to detect and block the installation of packages with expired code-signing certificates.

“WDAC policies work on both 10-11 with no hardware requirements down to the home SKU despite some FUD misinformation i have seen so it should be your first choice. Create a policy with the Wizard and then add a deny rule or allow specific versions of Nvidia if you need,” explained David Weston, director of enterprise and OS security at Microsoft.

Microsoft also advises end-users to download drivers or updates from the official Nvidia website. Meanwhile, we hope that the company will soon revoke the stolen code-signing certificates to prevent the distribution of malicious drivers.